
the class PermDAO method revoke.

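/**
 * Removes a role assignment from a permission operation by deleting one value of the {@code ROLES}
 * attribute on the permission operation's ldap entry.
 *
 * @param pOp  permission operation to revoke from; together with its contextId it determines the target dn
 *             via {@code getDn}.
 * @param role role whose name is removed from the entry's {@code ROLES} attribute.
 * @throws org.apache.directory.fortress.core.FinderException with {@code GlobalErrIds.PERM_ROLE_NOT_EXIST}
 *         when the server reports the value as absent, i.e. the assignment does not exist.
 * @throws org.apache.directory.fortress.core.UpdateException with {@code GlobalErrIds.PERM_REVOKE_FAILED}
 *         on any other ldap error.
 */
void revoke(Permission pOp, Role role) throws UpdateException, FinderException {
    LdapConnection ld = null;
    String dn = getDn(pOp, pOp.getContextId());
    try {
        List<Modification> mods = new ArrayList<>();
        mods.add(new DefaultModification(ModificationOperation.REMOVE_ATTRIBUTE, ROLES, role.getName()));
        ld = getAdminConnection();
        modify(ld, dn, mods, pOp);
    } catch (LdapNoSuchAttributeException e) {
        // Removing a value that is not present: surface it as a missing assignment, and keep the ldap exception
        // as the cause so the server-side diagnostic is not lost on the way up.
        String warning = "revoke perm object [" + pOp.getObjName() + "] operation [" + pOp.getOpName() + "] name [" + role.getName() + "] assignment does not exist.";
        throw new FinderException(GlobalErrIds.PERM_ROLE_NOT_EXIST, warning, e);
    } catch (LdapException e) {
        String error = "revoke perm object [" + pOp.getObjName() + "] operation [" + pOp.getOpName() + "] name [" + role.getName() + "] caught LdapException=" + e.getMessage();
        throw new UpdateException(GlobalErrIds.PERM_REVOKE_FAILED, error, e);
    } finally {
        // Also reached when getAdminConnection itself failed, in which case ld is still null.
        closeAdminConnection(ld);
    }
}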

the class PermDAO method getPermAttributeSet.

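/**
 * Reads one permission attribute set entry from ldap and populates it with its permission attributes.
 *
 * @param permAttributeSet supplies the identity and contextId from which the target dn is built via {@code getDn}.
 * @return the entity unloaded from the entry, with its attributes set from {@code findPermissionAttributes}.
 * @throws org.apache.directory.fortress.core.FinderException with {@code GlobalErrIds.PERM_ATTRIBUTE_SET_NOT_FOUND}
 *         when the read returns no entry, when the server reports the dn as missing, or on any other ldap error.
 */
PermissionAttributeSet getPermAttributeSet(PermissionAttributeSet permAttributeSet) throws FinderException {
    PermissionAttributeSet entity = null;
    LdapConnection ld = null;
    String dn = getDn(permAttributeSet, permAttributeSet.getContextId());
    try {
        ld = getAdminConnection();
        Entry findEntry = read(ld, dn, PERMISION_ATTRIBUTE_SET_ATRS);
        if (findEntry == null) {
            String warning = "getPermAttributeSet no entry found dn [" + dn + "]";
            throw new FinderException(GlobalErrIds.PERM_ATTRIBUTE_SET_NOT_FOUND, warning);
        }
        entity = unloadPASetLdapEntry(findEntry, 0);
        // find permission attributes for this set
        entity.setAttributes(this.findPermissionAttributes(entity));
    } catch (LdapNoSuchObjectException e) {
        // Same error id as the null-entry case above; the ldap exception is kept as the cause so the
        // server's diagnostic survives the translation.
        String warning = "getPermAttributeSet COULD NOT FIND ENTRY for dn [" + dn + "]";
        throw new FinderException(GlobalErrIds.PERM_ATTRIBUTE_SET_NOT_FOUND, warning, e);
    } catch (LdapException e) {
        String error = "getPermAttributeSet dn [" + dn + "] caught LdapException=" + e.getMessage();
        throw new FinderException(GlobalErrIds.PERM_ATTRIBUTE_SET_NOT_FOUND, error, e);
    } finally {
        closeAdminConnection(ld);
    }
    return entity;
}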

the class PermDAO method findAnyPermissions.

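/**
 * Uses substring filters to allow any permission matching the passed in obj and op names.
 * <p>
 * Each supplied name is placed as {@code *name*} inside an OR clause, and a name is only included when it is
 * non-null and non-empty, so passing only one of the two matches on that one alone. If both are absent the OR
 * clause is left empty and the result is server-dependent (servers following RFC 4526 treat an empty OR as
 * matching nothing).
 *
 * @param permission supplies objName and/or opName, plus isAdmin and contextId which select the search root.
 * @return the matching permission operations in cursor order; an empty list when nothing matched.
 * @throws org.apache.directory.fortress.core.FinderException with {@code GlobalErrIds.PERM_SEARCH_FAILED} on any
 *         ldap or cursor error.
 */
List<Permission> findAnyPermissions(Permission permission) throws FinderException {
    List<Permission> permList = new ArrayList<>();
    LdapConnection ld = null;
    String permRoot = getRootDn(permission.isAdmin(), permission.getContextId());
    try {
        // encodeSafeText is the only step between caller-supplied names and the filter grammar; this method
        // relies on it to escape ldap filter metacharacters (its implementation is not visible here).
        String permObjVal = encodeSafeText(permission.getObjName(), GlobalIds.PERM_LEN);
        String permOpVal = encodeSafeText(permission.getOpName(), GlobalIds.PERM_LEN);
        StringBuilder filterbuf = new StringBuilder();
        filterbuf.append(GlobalIds.FILTER_PREFIX);
        filterbuf.append(PERM_OP_OBJECT_CLASS_NAME);
        filterbuf.append(")(|");
        // Emptiness is tested by content: the former reference comparison against "" never rejected an empty
        // value, so an empty name could emit a bare (name=**) wildcard term instead of being skipped.
        if (permObjVal != null && !permObjVal.isEmpty()) {
            filterbuf.append("(");
            filterbuf.append(GlobalIds.POBJ_NAME);
            filterbuf.append("=*");
            filterbuf.append(permObjVal);
            filterbuf.append("*)");
        }
        if (permOpVal != null && !permOpVal.isEmpty()) {
            filterbuf.append("(");
            filterbuf.append(GlobalIds.POP_NAME);
            filterbuf.append("=*");
            filterbuf.append(permOpVal);
            filterbuf.append("*)");
        }
        filterbuf.append("))");
        ld = getAdminConnection();
        // NOTE(review): the cursor is never closed here; SearchCursor is Closeable in the directory api, so a
        // try-with-resources would fit once the exception declared by close() is confirmed for this api version.
        SearchCursor searchResults = search(ld, permRoot, SearchScope.SUBTREE, filterbuf.toString(), PERMISSION_OP_ATRS, false, GlobalIds.BATCH_SIZE);
        long sequence = 0;
        while (searchResults.next()) {
            permList.add(unloadPopLdapEntry(searchResults.getEntry(), sequence++, permission.isAdmin()));
        }
    } catch (LdapException e) {
        String error = "findAnyPermissions caught LdapException=" + e.getMessage();
        throw new FinderException(GlobalErrIds.PERM_SEARCH_FAILED, error, e);
    } catch (CursorException e) {
        String error = "findAnyPermissions caught CursorException=" + e.getMessage();
        throw new FinderException(GlobalErrIds.PERM_SEARCH_FAILED, error, e);
    } finally {
        closeAdminConnection(ld);
    }
    return permList;
}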

the class PermDAO method findPermissions.

/**
 * Finds permission operations whose object name and operation name both start with the supplied values.
 * The filter is assembled from {@code GlobalIds.FILTER_PREFIX} (presumably the opening AND / objectClass term),
 * the perm op object class, and one prefix-match term ({@code name=value*}) for each of the two names; the
 * search runs over the subtree under the root chosen by isAdmin and contextId.
 *
 * @param permission supplies objName, opName, isAdmin and contextId; both names are passed through
 *                   {@code encodeSafeText} before being placed in the filter.
 * @return the matching permission operations in cursor order; an empty list when nothing matched.
 * @throws org.apache.directory.fortress.core.FinderException with {@code GlobalErrIds.PERM_SEARCH_FAILED} when the
 *         search or the cursor iteration fails.
 */
List<Permission> findPermissions(Permission permission) throws FinderException {
    List<Permission> results = new ArrayList<>();
    LdapConnection conn = null;
    String searchBase = getRootDn(permission.isAdmin(), permission.getContextId());
    try {
        String objName = encodeSafeText(permission.getObjName(), GlobalIds.PERM_LEN);
        String opName = encodeSafeText(permission.getOpName(), GlobalIds.PERM_LEN);
        // Both terms are always emitted; a prefix wildcard follows each value.
        String filter = new StringBuilder()
                .append(GlobalIds.FILTER_PREFIX)
                .append(PERM_OP_OBJECT_CLASS_NAME)
                .append(")(").append(GlobalIds.POBJ_NAME).append("=").append(objName)
                .append("*)(").append(GlobalIds.POP_NAME).append("=").append(opName)
                .append("*))")
                .toString();
        conn = getAdminConnection();
        SearchCursor cursor = search(conn, searchBase, SearchScope.SUBTREE, filter, PERMISSION_OP_ATRS, false, GlobalIds.BATCH_SIZE);
        // seq numbers the entries in the order the cursor yields them.
        for (long seq = 0; cursor.next(); seq++) {
            results.add(unloadPopLdapEntry(cursor.getEntry(), seq, permission.isAdmin()));
        }
    } catch (LdapException e) {
        throw new FinderException(GlobalErrIds.PERM_SEARCH_FAILED, "findPermissions caught LdapException=" + e.getMessage(), e);
    } catch (CursorException e) {
        throw new FinderException(GlobalErrIds.PERM_SEARCH_FAILED, "findPermissions caught CursorException=" + e.getMessage(), e);
    } finally {
        closeAdminConnection(conn);
    }
    return results;
}

the class PermDAO method checkPermission.

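/**
 * This method performs fortress authorization using data passed in (session) and stored on ldap server
 * (permission).  It has been recently changed to use ldap compare operations in order to trigger slapd access
 * log updates in directory.
 * It performs ldap operations:  read and (optionally) compare.  The first is to pull back the permission to see
 * if user has access or not.  The second is to trigger audit record storage on ldap server but can be disabled.
 * <p>
 * Outcomes: a read that returns no entry raises {@code FinderException(PERM_NOT_EXIST)}; a read that the server
 * rejects with {@code LdapNoSuchObjectException} is treated as a denial (returns {@code false}) after an
 * "AuthZ Invalid" audit compare; any other ldap error raises {@code FinderException(PERM_READ_OP_FAILED)}.
 * Group sessions skip the audit compare entirely.
 *
 * @param session contains {@link Session#getUserId()}, for impl check {@link org.apache.directory.fortress.core.model.Session#getRoles()}, for arbac check: {@link org.apache.directory.fortress.core.model.Session#getAdminRoles()}.
 * @param inPerm  must contain required attributes {@link Permission#objName} and {@link Permission#opName}.  {@link org.apache.directory.fortress.core.model.Permission#objId} is optional.
 * @return boolean containing result of check.
 * @throws org.apache.directory.fortress.core.FinderException
 *          In the event system error occurs looking up data on ldap server.
 */
boolean checkPermission(Session session, Permission inPerm) throws FinderException {
    boolean isAuthZd = false;
    LdapConnection ld = null;
    // NOTE(review): only the op rdn goes through getOpRdn; objName is concatenated into the dn as-is. That is
    // safe only if callers have already validated objName against dn metacharacters - confirm upstream.
    String dn = getOpRdn(inPerm.getOpName(), inPerm.getObjId()) + "," + GlobalIds.POBJ_NAME + "=" + inPerm.getObjName() + "," + getRootDn(inPerm.isAdmin(), inPerm.getContextId());
    try {
        ld = getAdminConnection();
        // LDAP Operation #1: Read the targeted permission from ldap server
        Entry entry = read(ld, dn, PERMISSION_OP_ATRS);
        if (entry == null) {
            // if permission not found, cannot continue.
            String error = "checkPermission DOES NOT EXIST : obj name [" + inPerm.getObjName() + "], obj id [" + inPerm.getObjId() + "], op name [" + inPerm.getOpName() + "], idAdmin [" + inPerm.isAdmin() + "]";
            throw new FinderException(GlobalErrIds.PERM_NOT_EXIST, error);
        }
        // load the permission entity with data retrieved from the permission node:
        Permission outPerm = unloadPopLdapEntry(entry, 0, inPerm.isAdmin());
        // The admin flag will be set to 'true' if this is an administrative permission:
        outPerm.setAdmin(inPerm.isAdmin());
        // Pass the tenant id along:
        outPerm.setContextId(inPerm.getContextId());
        // This method determines if the user is authorized for this permission:
        isAuthZd = isAuthorized(session, outPerm);
        // The objective of these next steps is to evaluate the outcome of authorization attempt and trigger a
        // write to slapd access logger containing the result. The objectClass triggered by slapd access log write
        // for upcoming ldap op is 'auditCompare'. Set this attribute either with actual operation name that will
        // succeed compare (for authZ success) or bogus value which will fail compare (for authZ failure):
        String attributeValue;
        if (isAuthZd) {
            // Yes, set the operation name onto this attribute for storage into audit trail:
            attributeValue = outPerm.getOpName();
        } else {
            // Changing this attribute value forces the compare to fail.  This facilitates tracking of authorization
            // failures events in the slapd access log (by searching for compare failures).
            attributeValue = outPerm.getOpName() + GlobalIds.FAILED_AUTHZ_INDICATOR;
        }
        // LDAP Operation #2: Compare. There is a switch in fortress config to disable the audit ops.
        if (!session.isGroupSession()) {
            addAuthZAudit(ld, dn, session.getUser().getDn(), attributeValue);
        }
    } catch (LdapNoSuchObjectException e) {
        // Permission node absent: deny (isAuthZd keeps its current value) but still leave an audit trail.
        // This clause precedes the general LdapException handler, which replaces the former instanceof test.
        if (!session.isGroupSession()) {
            addAuthZAudit(ld, dn, session.getUser().getDn(), "AuthZ Invalid");
        }
    } catch (LdapException e) {
        String error = "checkPermission caught LdapException=" + e.getMessage();
        throw new FinderException(GlobalErrIds.PERM_READ_OP_FAILED, error, e);
    } finally {
        closeAdminConnection(ld);
    }
    return isAuthZd;
}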